VSX Routing Concepts
|
Note - Security Groups in (Undefined variable: Vars_ScalablePlatforms.tp_maestro) and (Undefined variable: Vars_ScalablePlatforms.tp_scalable_chassis) do not support Virtual Routers (Known Limitation 01413513). |
Routing Overview
The traffic routing features in VSX network topologies are analogous to those available for physical networks.
This section discusses several routing features and strategies as they apply to a VSX environment.
Routing Between Virtual Systems
Virtual Routers and Virtual Switches can be used to send traffic between networks located behind Virtual Systems, much in the same way as their physical counterparts.
The figure below shows an example of how Virtual Systems, connected to a Virtual Switch and a physical VLAN switch, communicate with each other.
In this example, a host in VLAN 100 sends data to a server located in VLAN 200.
-
Traffic from the VLAN 100 host arrives at the VLAN switch, which inserts a VLAN tag and sends it to the VSX Gateway by way of a VLAN trunk.
-
Based on its VLAN tag, the VSX Gateway assigns the traffic to the Virtual System named VS1.
-
VS1 inspects the traffic according to its security policy and sends the traffic on to the Virtual Switch.
Based on its routing configuration, VS1 sends the traffic to VS2 by way of the Virtual Switch.
-
VS2 inspects the traffic according to its security policy, inserts a VLAN tag, and sends it to back the VLAN switch.
-
The VLAN switch sends the traffic to the server located on VLAN 200.
Route Propagation
When a Virtual System is connected to a Virtual Router or to a Virtual Switch, you can choose to propagate its static routes to adjacent Virtual Devices.
This feature enables network nodes located behind neighboring Virtual Systems to communicate without the need for manual configuration of static routes.
Route propagation works by automatically updating Virtual Device routing tables with static routes that lead to the corresponding Virtual Systems.
|
Note - Route Propagation supports only static routes that you configure in SmartConsole in the Virtual System objects. To use dynamic routes, you must configure the required dynamic settings in each required Virtual System on the VSX Gateway / each VSX Cluster Member. |
Route Propagation using a Virtual Router
When Virtual Systems are connected to a Virtual Router, VSX propagates routes by automatically adding entries to the routing table contained in the Virtual Router.
Each entry contains a route pointing to the destination subnet using the Virtual System router-side Warp Interface (wrpj
) as the next hop.
Route Propagation using a Virtual Switch
When Virtual Systems are connected to a Virtual Switch, VSX propagates routes by automatically adding entries to the routing table in each Virtual System.
Each entry contains a route pointing to the destination subnet using the Virtual System Warp Interface (wrp
) IP address.
Overlapping IP Address Space
VSX facilitates connectivity when multiple network segments share the same IP address range (IP address space).
This scenario occurs when a single VSX Gateway protects several independent networks that assign IP addresses to endpoints from the same pool of IP addresses.
Thus, it is feasible that more than one endpoint in a VSX environment will have the identical IP address, provided that each is located behind different Virtual System.
Overlapping IP address space in VSX environments is possible because each Virtual System maintains its own unique state and routing tables.
These tables can contain identical entries, but within different, segregated contexts.
Virtual Systems use NAT to facilitate mapping internal IP addresses to one or more external IP addresses.
The below figure demonstrates how traffic passes from the Internet to an internal network with overlapping IP address ranges, using NAT at each Virtual System.
In this case, Network 1 and Network 2 share the same network address pool, which might result in identical overlapping IP addresses.
To prevent this, packets originating from or targeted to these networks are processed by their respective Virtual System using NAT to translate the original/overlapping addresses to unique routable addresses.
More for Virtual Switch Route Propagation
You are not required to manually define the topology, because this is done automatically.
But there are required manual steps in the VSX objects.
To update the topology map for each Virtual System after you enable route propagation:
-
For each Virtual System object that is connected to the Virtual Switch:
-
Edit the object properties.
Make sure Anti-Spoofing and VPN features are set correctly.
-
Save the object.
-
-
Install the security policy for the affected Virtual Systems.
NAT
Virtual Systems support Network Address Translation (NAT), much in the same manner as a physical Security Gateway.
When a Virtual System, using either Static or Hide NAT, connects to a Virtual Router, you must propagate the affected routes to the Virtual Router.
To do so, you need to first define NAT addresses for Virtual Systems connected to a Virtual Router.
Dynamic Routing
The Virtual Devices can communicate and distribute routes using dynamic routing.
Each Virtual Device has its own routing daemon.
Virtual Systems support:
-
OSPF
-
RIP
-
BGP
-
PIM
Virtual Routers support:
-
OSPF